The landscape of contemporary conflict has changed rapidly in the last thirty years. Cyberwarfare has increased the scope of and scale of warfare such that damage is no longer primarily limited by the threshold of the battlefield; wars are waged between societies rather than armies. António Guterres, the secretary-general of the UN, has predicted, “the next war will begin with a massive cyberattack to destroy military capacity . . . and paralyze basic infrastructure such as electric networks”. Thus far, however, the international community has failed to create multilateral regulations to control its usage, instead deciding to equate technological and conventional warfare by framing the law as it exists. This is perhaps because cyberspace continues to constitute a particularly nuanced area of contemporary warfare. The difficulty in its regulation is found in the difficulty to define it. In cyberwarfare, unlike most traditional conflicts, lines of liability are often convoluted.
Current regulatory efforts directed at cyberwarfare attempt to frame the technological into the physical. The NATO Cooperative Cyber Defence Centre of Excellence drafted the Tallinn Manual 2.0 in 2017 (3.0 currently in production) which aims to illustrate how current international norms are applicable to cyberspace. This treats the law as it is rather than proposing new regulations, however, in order for International Humanitarian Law to be applicable (the law that regulates the conduct of war), an armed conflict has to be declared. This can be problematic. Paragraph 70 of Prosecutor v. Tadic defines armed conflict as, “whenever there is a resort to armed force between states”. A cyberattack may not have the same physical damage as a military one, yet can exert a similar or worse effect on the civilian population.
Since its first extensive usage in the late 2000s, an act of cyberwarfare has yet to trigger international humanitarian law. For example, Iran and Israel have been involved in slowly escalating tit-for-tat cyberattacks for the past year. In April, Israeli Prime Minister Benjamin Netanyahu seemed to confirm that it was behind a large-scale blackout at an Iranian nuclear facility saying after the event that, “the struggle against Iran and its proxies and the Iranian armament efforts is a huge mission”. Following attacks on petrol stations in late October, Iran have alleged retaliated with attacks on the Israeli hospital system, shutting down all systems in the north-central part of the country. This has led Reuven Eliyahu, director of information security and cyber at the Health Ministry, to state, “We are in a third world war on cyber,” yet there is no distinctive point in which these escalations could be defined as an ‘armed conflict’.
There are activities that many would argue constitute a violation of sovereignty that are not quantifiable in terms of physical and so would not trigger the declaration of armed conflict. The widespread examples of Russian election interference in the previous 5 years are an example of this. These operations are often carried out through targeted advertising and misinformation campaigns and so their effect is hard to quantify. Additionally, it is often the case that the people who benefited from the interference gain power: they have little incentive to undermine their own legitimacy. The Biden administration has responded to this with the expulsion of 10 Russian diplomats as well as broader sanctions against Russian officials and companies. Social media, however, provided the platform for these campaigns to spread. Many companies have retrospectively introduced measures to mitigate this, the strictest of which was Twitter has banning political ads.
Accountability is the most pressing issue that faces international regulation as cyberspace is fundamentally asymmetric. Small-scale attacks by state or non-state actors against outdated transportation, health or energy networks could cause the most damage on a damage and are the least preventable. Governments are forced to rely on private companies to improve their own networks to maintain national security. Many of these industries are not incentivised improve their cybersecurity until it’s too late. In 2017, during the WannaCry ransomware attacks which caused up to £6 billion in global damages, the NHS was brought to a standstill and forced to cancel thousands of operations and appointments. Ironically, the attack used an exploit created by the NSA that had been leaked online. WannaCry has been partially attributed to Lazarus Group, a group who have previously been linked to North Korea, but it has been reported as unlikely that a state-actor was involved. Increasingly, the line between cybercrime and cyberwarfare is blurred.
Cyberwarfare does not necessarily need to be a case of interstate conflict. It is the perfect weapon in any authoritarian leader’s arsenal, capable of exerting more control over a population than any other method. In July, an investigation led by Amnesty International and Forensic Architecture demonstrated how Pegasus, the software sold by NSO group, had been used to gain access to thousands of phones. Using software that can take complete control of the victim’s phone, including encrypted messages and the camera, some of the most authoritarian governments in the world gained access to thousands of phones including over 180 journalists. Alarmingly, Jamal Khashoggi, one of the journalists whose phone was hacked was brutally murdered by assassins dispatched by Saudi Arabia.
The privatisation of cyberwarfare is a worrying development as it simply increases the asymmetry of cyberspace. Creating more secure technology, however, does not provide a complete solution. Making technology harder to infiltrate will simply increase demand for private companies as fewer people can successfully infiltrate targets. Just as a physical arms dealer might argue that they cannot be completely liable for the usage of every bullet or gun they sell, cyber warfare companies are reluctant for the burden of regulation to be placed upon them. An international legal framework is needed both in the purchase and supply of such technology. The Biden administration made their stance clear: NSO group was placed on a US blacklist last week.